Cyber exposure has become a pressing liability for directors and officers. Given that cybercrime has skyrocketed over the last few years, that's not surprising. What's alarming, though, is that business leaders have been slow to respond to these new threats.

Cyberattacks and data loss “are the top risks facing directors and officers, with cyber extortion and the growth of ransomware attacks a leading concern," according to a directors' liability survey conducted by WTW and Clyde & Co.

A separate Gartner report revealed that 88% of boards regard cybersecurity as a business risk rather than solely a technical IT problem. Overwhelmingly, directors understand that cyber poses a fundamental threat to their companies. Yet, only 15% of boards have responded in a measurable way, such as “by instituting cybersecurity-specific board committees overseen by a dedicated director," the Gartner report says.

Seemingly, companies are aware of the growing cyber problem, but they aren't doing much about it. This is despite the fact that most businesses have been hit by some form of cyberattack. For example, last year nearly every organization (96%) was struck by a phishing attempt, according to Mimecast.

Even when businesses do institute cyber controls, the majority of employees (67%) fail to adhere to them all the time, according to the Harvard Business Review. Employees often break security rules to get work done or help a fellow employee, according to HBR. And we all know—or should know by now—that human error is the leading cause of data-loss incidents, according to Verizon.

Cyber Liability: A Real Risk for Leaders

Cyber liability has become a very real risk for company leaders. If they haven't factored cyber risk into their directors & officers liability program, they are exposing themselves to potentially ruinous lawsuits. And with D&O litigation on the rise, business leaders cannot afford to be complacent about the cybersecurity deficiencies in their organizations or the lack of a board-level response.

Organizations also increasingly face cyber risks that are difficult to monitor and control. These include remote workers logging into their company network from home or a public WiFi hotspot—often in an unsecure manner—and the proliferation of unsupported third-party applications and Internet of Things (IoT) devices. At the same time, third-party vendors with less than adequate controls may be accessing a company's networks, a means by which cybercriminals surreptitiously penetrate an organization's defenses, according to a SecureLink and Ponemon Institute survey.

In addition, cyber threats can decrease the value of a merger or acquisition if the acquiring party discovers the seller failed to properly disclose a breach or didn't take appropriate steps to mitigate it. That can have significant D&O implications for the board members of the selling company.

Further, there is the issue of data security compliance. Companies that collect information on the internet, process credit cards or have customers in the European Union face a myriad of regulations. Failure to comply with these mandates can result in fines, and also litigation if a breach occurs. Directors could find themselves caught up in a class action lawsuit.

Understand the Market

Agents and brokers don't have to be experts in cybersecurity, but they do need to know the types of insurance coverage available in the market and how to protect a company's board and its executives. “D&O policies may cover lawsuits against the directors or entity stemming from cyberattacks, but firms need to fully understand their policies, or any potential coverage gaps, before such an incident occurs," wrote Rachel Soich, a consulting actuary for Milliman, in a Milliman Insight article. 

Some D&O policies exclude cyber, while others offer coverage, Soich notes. This is where agents must tread carefully, but it's also how they can best help their clients.

A good starting point for an agent or broker is to get cyber insurance for their clients' companies. Typically, a cyber policy covers the cost of a cyber incident, including restoring a firms' networks and computers, consumer notifications related to data breaches, business interruption expenses, customer credit monitoring and ransomware payments.

Cyber insurance can cushion the blow of a major incident, and purchasing it shows that a company's leaders are being financially responsible in protecting their operations, customers and shareholders.

“It would be easy to argue that directors breached their fiduciary duties by failing to purchase a cyber insurance policy to cover the high costs of a cyber incident," Soich warns. “Not having cyber insurance in place could leave directors potentially vulnerable to easily avoidable lawsuits."

Equally important is making sure clients are implementing cyber controls to prevent an incident from occurring in the first place. Mitigating risks also ensures that clients will qualify for cyber coverage in what has become an extremely tight market.

The Value of a Cyber Risk Assessment

There are many mitigation strategies, but businesses benefit from a cyber risk assessment to identify vulnerabilities in their systems and to recommend ways to prevent future threats. An assessment can provide insight into how customer data is stored, who has access to networks, the level of password security, regulatory compliance issues and the extent of cloud and third-party risk.

Since insurance clients may need to demonstrate to insurers that they have effective cyber controls, a cyber risk assessment is a good first step. Small and midsize businesses may also benefit from partnering with a cybersecurity firm that can help them execute the recommendations that come out of an assessment.

High-profile cyberattacks on businesses and governments, along with rising cyber litigation costs, should be a wake-up call to directors and officers that doing nothing is not an option. Agents can help these leaders step up by encouraging them to address their cyber risks head-on and to get the insurance coverage they need.

Bill Haber is co-founder of TEKRiSQ, a technology company focused on helping agents in the small to midsize market quickly diagnose their client's cyber risks and develop mitigation strategies. He has more than 25 years of commercial and operational leadership experience in enterprise software, digital health, medical device and network technology startups.